""ET INFO Possible EXE Download From Suspicious TLD (.accountant) - set""

SID: 2023460

Revision: 1

Class Type: misc-activity

Metadata: affected_product Any, attack_target Client_and_Server, created_at 2016_10_27, signature_severity Minor, updated_at 2016_10_27

Reference:

• Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: ".accountant|0d 0a|"

Within:

PCRE: "/^Host\x3a[^\r\n]+.accountant(?:\x3a\d{1,5})?\r?$/Hmi"

Special Options:

• http_header

source